Botnets offer an easy, high-impact and hard-to-trace means of attack, and have become a major driver of the rapid growth and wide spread of distributed denial-of-service (DDoS) attacks. A botnet is built from tens of thousands of hosts and supplies the bandwidth and hosts that large-scale DDoS attacks require. Such attacks involve huge volumes of network traffic and cause serious damage to the attacked networks. As DDoS attacks evolve and grow more sophisticated, the security and operational challenges facing Internet service providers (ISPs), Internet content providers (ICPs) and Internet data centers (IDCs) are increasing. These operators have to detect and scrub attack traffic before DDoS attacks endanger their core business and applications, so as to ensure normal network operation and business development.
DDoS attacks can cause extensive damage: they can prevent the attacked server from functioning normally, congest or even paralyze the entire network, and affect other servers in the same network. It is therefore particularly important to detect attacks in a network promptly.
Existing attack-detection methods usually rely on either a fixed threshold or a dynamic traffic baseline. Both approaches have clear defects. A fixed threshold leads to false positives or false negatives when it is not set accurately. A dynamic traffic baseline is likely to produce false positives for small targets whose baseline traffic is low, and false negatives where traffic is large and the changes are not significant. Both approaches also tend to produce false positives in response to normal traffic surges. In addition, a dynamic baseline is not an effective way to detect attacks in the initial stage of a newly created target. And when a baseline is built from traffic that is already under attack, it cannot detect any attack taking place against that target.
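The failure modes listed above can be reproduced on small constructed traffic series. The following is an added example, not part of the original text: the two detectors are minimal assumed forms of the fixed-threshold and dynamic-baseline approaches, and the window size, ratio, threshold and packet rates are illustrative values.

```python
from statistics import mean

def fixed_threshold_alerts(series, threshold):
    """Indices of samples whose rate exceeds a static threshold."""
    return [i for i, v in enumerate(series) if v > threshold]

def baseline_alerts(series, window=5, ratio=3.0):
    """Indices of samples exceeding ratio * mean of the previous `window` samples.
    The first `window` samples are never judged: no baseline exists yet."""
    return [i for i in range(window, len(series))
            if series[i] > ratio * mean(series[i - window:i])]

# Constructed packets-per-second samples, one value per interval.
SMALL = [10, 12, 9, 11, 10, 45, 11, 10]            # benign blip at index 5
LARGE = [100000, 101000, 99000, 100500, 99500,
         180000, 185000, 100000]                   # attack at indices 5-6
SURGE = [200, 210, 190, 205, 195, 900, 950, 920]   # legitimate surge from index 5
NEW = [10, 9000, 9500, 9200, 9100, 9300, 9000]     # new target, attacked from index 1

def run_cases(threshold=500):
    """Return {case: (fixed-threshold alerts, baseline alerts)}."""
    cases = {"small": SMALL, "large": LARGE, "surge": SURGE, "new": NEW}
    return {name: (fixed_threshold_alerts(s, threshold), baseline_alerts(s))
            for name, s in cases.items()}

if __name__ == "__main__":
    # small: baseline flags a harmless blip (false positive on a low base)
    # large: baseline misses the attack; a threshold tuned for small
    #        targets fires on every interval
    # surge: both detectors flag legitimate traffic
    # new:   the baseline is learned from attack traffic and never fires
    for name, (fixed, dynamic) in run_cases().items():
        print(f"{name:6} fixed={fixed} baseline={dynamic}")
```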